Author: jleroux
Date: Fri Jan 19 08:39:05 2018
New Revision: 1821600
URL: http://svn.apache.org/viewvc?rev=1821600&view=rev
Log:
Improved: Token Based Authentication (OFBIZ-9833)
No functional change
As reported by Jinghai on dev ML we should better use "Authorization" than "Authorisation" when retrieving the JWT token, even if both are accepted
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
Also improves the comment on token ttl
Thanks: Jinghai for report
Modified:
ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
Modified: ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties?rev=1821600&r1=1821599&r2=1821600&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties (original)
+++ ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties Fri Jan 19 08:39:05 2018
@@ -138,5 +138,5 @@ use-external-server=N
 external-server-name=localhost:8443
 # -- Query part of the URL to use
 external-server-query=/example/control/
-# -- Time To Live of the token send to the external server
+# -- Time To Live of the token send to the external server in seconds
 external-server-token-duration=30
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java?rev=1821600&r1=1821599&r2=1821600&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java Fri Jan 19 08:39:05 2018
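Review bot: The rewritten comment on the added line still says `token send to the external server`, so the wording error survives the edit that was meant to improve it. Since the line is being rewritten anyway, `# -- Time To Live of the token sent to the external server, in seconds` reads correctly and keeps the unit clarification the commit adds.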
@@ -202,7 +202,7 @@ public class ContextFilter implements Fi
 String webAppName = UtilHttp.getApplicationName(httpRequest);
 String dnsName = ExternalLoginKeysManager.getExternalServerName(httpRequest);
 long timeToLive = ExternalLoginKeysManager.getJwtTokenTimeToLive(httpRequest);
- // We would need a Bearer token (in Authorisation request header) if we were using Oauth2, here we don't, so no Bearer
+ // We would need a Bearer token (in Authorization request header) if we were using Oauth2, here we don't, so no Bearer
 value = ExternalLoginKeysManager.createJwt(externalServerUserLoginId, dnsName, webAppName , timeToLive);
 }
 if (value != null) return value;
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1821600&r1=1821599&r2=1821600&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java Fri Jan 19 08:39:05 2018
@@ -37,6 +37,7 @@ import org.apache.ofbiz.entity.Delegator
 import org.apache.ofbiz.entity.DelegatorFactory;
 import org.apache.ofbiz.entity.GenericEntityException;
 import org.apache.ofbiz.entity.GenericValue;
+import org.apache.ofbiz.entity.util.EntityQuery;
 import org.apache.ofbiz.entity.util.EntityUtilProperties;
 import org.apache.ofbiz.service.LocalDispatcher;
 import org.apache.ofbiz.webapp.WebAppUtil;
@@ -45,7 +46,6 @@ import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwtBuilder;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
-import org.apache.ofbiz.entity.util.EntityQuery;

 /**
 * This class manages the authentication tokens that provide single sign-on authentication to the OFBiz applications.
@@ -199,9 +199,9 @@ public class ExternalLoginKeysManager {
 LoginWorker.setWebContextObjects(request, response, delegator, dispatcher);
 }

- String authorisationHeader = request.getHeader("Authorisation");
- if (authorisationHeader != null) {
- boolean jwtOK = checkJwt(authorisationHeader, userLogin.getString("userLoginId"), getExternalServerName(request), UtilHttp.getApplicationName(request));
+ String authorizationHeader = request.getHeader("Authorization");
+ if (authorizationHeader != null) {
+ boolean jwtOK = checkJwt(authorizationHeader, userLogin.getString("userLoginId"), getExternalServerName(request), UtilHttp.getApplicationName(request));
 if (!jwtOK) {
 Debug.logWarning("*** There was a problem with the JWT token, loging out the current user: " + externalServerUserLoginId, module);
 LoginWorker.logout(request, response);
 |
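Review bot: The JWT is verified only when the header is present (`if (authorizationHeader != null)`), so a request that carries no `Authorization` header skips checkJwt and the logout branch entirely; if the code after the hunk then continues with the external login, the check is fail-open rather than fail-closed. Renaming the header makes this worth a second look: a peer that still sends the old "Authorisation" spelling will no longer fail the JWT check, it will bypass it, which is the opposite of the commit message's "both are accepted". If the token is meant to be mandatory, `if (authorizationHeader == null || !checkJwt(authorizationHeader, userLogin.getString("userLoginId"), getExternalServerName(request), UtilHttp.getApplicationName(request))) {` in front of the existing warning and logout expresses that; if it is deliberately optional, a short comment on the null check saying so would stop the next reader from reading it as a gap. The enclosing method starts and ends outside the hunk, so I cannot see what happens on the no-header path.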